Method and apparatus for managing subscriber profiles

ABSTRACT

Methods and apparatus for managing subscriber profiles are described herein. In one embodiment, the method includes receiving, from a requester, a request to determine an operation to be performed on a data packet. The method also includes determining profile identifiers associated with the requester, wherein the profile identifiers include, a first-level profile identifier associated with a lower-level profile identifier that defines the operation. The method also includes determining, based on the profile identifiers, that the operation should be performed on the data packet and transmitting an indication of the operation to the requestor, wherein the requestor performs the operation on the data packet.

FIELD

This invention relates generally to the field of telecommunication andmore particularly to delivering network services.

BACKGROUND

In a networking service delivery environment (e.g., a digital subscriberline service environment), it is critical to deploy fast, versatile, andscalable systems. Broadband service providers (e.g., DSL) typicallyoffer a large variety of service plans, which allow subscribers tochoose between various service options. For example, subscribers canchoose between low-cost service plans offering basic services andexpensive service plans offering premium services.

For DSL providers, as the number of subscribers and services increases,so does the amount of system resources needed for tracking subscriberservices. According to one prior art technique, a DSL provider stores alist of services for each subscriber. Such a list can include thesubscriber's maximum bandwidth, available filters (e.g., firewalls),encryption information, virtual private network information, accesscontrol lists, etc. When a subscriber initiates a session, the serviceprovider retrieves the subscriber's service list to determine whichservices are available to the subscriber. As the number of subscribersgrows, repeated fetching of service lists can create computational andcommunication overhead. Moreover, with a large number of subscribers,the space needed for storing service lists can become relatively large.Furthermore, when the DSL provider adds new services, it must updateeach subscriber's service list, consuming system resources andpotentially reducing the system's service capacity.

SUMMARY

Methods and apparatus for managing subscriber profiles are describedherein. In one embodiment, the method includes receiving, from arequester, a request to determine an operation to be performed on a datapacket. The method also includes determining profile identifiersassociated with the requestor, wherein the profile identifiers include,a first-level profile identifier associated with a lower-level profileidentifier that defines the operation. The method also includesdetermining, based on the profile identifiers, that the operation shouldbe performed on the data packet and transmitting an indication of theoperation to the requestor, wherein the requestor performs the operationon the data packet.

In one embodiment, the apparatus includes a virtual interface to receivea data packet from a subscriber computer and to request an operation tobe performed on the data packet, wherein the virtual interface defines aconnection between a router and the subscriber computer. The apparatusalso includes a policy engine to receive the request for an operation,the policy engine including, a virtual interface database to store afirst profile identifier associated with the virtual interface. Theapparatus also includes a profile identifier database to store alower-level profile identifier associated with the first profileidentifier, wherein the lower-level profile identifier indicates theoperation to be performed on the data packet.

BRIEF DESCRIPTION OF THE FIGURES

The present invention is illustrated by way of example and notlimitation in the Figures of the accompanying drawings in which:

FIG. 1 is a dataflow diagram illustrating dataflow occurring inconjunction with configuring a subscriber connection, according toexemplary embodiments of the invention;

FIG. 2 is a block diagram illustrating an operating environment forcertain embodiments of the invention;

FIG. 3 is a block diagram illustrating a virtual router, according toexemplary embodiments of the invention;

FIG. 4 is a flow diagram illustrating operations for creating asubscriber connection, according to exemplary embodiments of theinvention;

FIG. 5 is a flow diagram illustrating operations for returninglower-level information, according to exemplary embodiments of theinvention;

FIG. 6 is a flow diagram illustrating operations for storing lower-levelprofile identifiers, according to embodiments of the invention;

FIG. 7 illustrates tables stored in the policy engine, according toexemplary embodiments of the invention;

FIG. 8 is a flow diagram illustrating operations occurring inconjunction with packet forwarding during a subscriber connection,according to embodiments of the invention; and

FIG. 9 is a flow diagram describing operations for modifying subscriberservices, according to exemplary embodiments of the invention.

DESCRIPTION OF THE EMBODIMENTS

Methods and apparatus for managing subscriber profiles are describedherein. In the following description, numerous specific details are setforth. However, it is understood that embodiments of the invention maybe practiced without these specific details. In other instances,well-known circuits, structures and techniques have not been shown indetail in order not to obscure the understanding of this description.Note that in this description, references to “one embodiment” or “anembodiment” mean that the feature being referred to is included in atleast one embodiment of the invention. Further, separate references to“one embodiment” in this description do not necessarily refer to thesame embodiment; however, neither are such embodiments mutuallyexclusive, unless so stated and except as will be readily apparent tothose of ordinary skill in the art. Thus, the present invention caninclude any variety of combinations and/or integrations of theembodiments described herein. Moreover, in this description, the phrase“exemplary embodiment” means that the embodiment being referred toserves as an example or illustration.

Herein, block diagrams illustrate exemplary embodiments of theinvention. Also herein, flow diagrams illustrate operations of theexemplary embodiments of the invention. The operations of the flowdiagrams will be described with reference to the exemplary embodimentsshown in the block diagrams. However, it should be understood that theoperations of the flow diagrams could be performed by embodiments of theinvention other than those discussed with reference to the blockdiagrams, and embodiments discussed with references to the blockdiagrams could perform operations different than those discussed withreference to the flow diagrams. Moreover, it should be understood thatalthough the flow diagrams may depict serial operations, certainembodiments could perform certain of those operations in parallel.

This description of the embodiments is divided into three sections. Thefirst section presents an overview of exemplary embodiments of theinvention. The second section presents an exemplary system architecture,while the third section describes exemplary operations performed byembodiments of the system.

Overview

This section presents an overview of a telecommunications system formanaging service profile information for a large number of subscribers.

FIG. 1 is a dataflow diagram illustrating dataflow occurring inconjunction with configuring a subscriber connection, according toexemplary embodiments of the invention. In FIG. 1, a telecommunicationssystem 100 includes a subscriber manager 102, profile manager 104,virtual interface 106, and policy engine 108. The exemplary system 100is adapted to provide network services to thousands of subscribers. Eachsubscriber can receive a set of services upon establishing a connectionwith the system 100. The services can include firewalls, variousqualities of service, tunneling support, virtual private networksupport, etc. Although there are numerous services and thousands ofsubscribers, the number of different service combinations is relativelysmall. That is, each of the thousands of users subscribers use one ormore of a relatively small number (e.g., 30) of service contexts, wherea service context refers to a combination of services that a subscriberreceives during a connection. Therefore, each subscriber is associatedwith one or more service contexts.

Each service context can include one or more profile identifiers. Forexample, a service context can include profile identifiers that definethe following services: bandwidth=100 kbps, firewall=high securityfirewall, VPN support=not enabled, and tunneling support=not enabled.The profile identifiers can be organized in a hierarchy. For example, afirst-level profile identifier can define a service or refer to one ormore second-level profile identifiers. The second-level profileidentifiers can either define services or refer to third-level profileidentifiers, and so on.

The dataflow of FIG. 1 describes determining services represented by ahierarchy of profile identifiers. The dataflow is divided into fivestages. At stage one, when establishing a subscriber connection, thesubscriber manager 102 receives a first-level profile identifierassociated with the subscriber. At stage two, the subscriber manager 102requests and receives second-level profile information including asecond-level profile identifier (associated with the first-level profileidentifier) from the profile manager 104.

At stage three, the subscriber manager 102 creates a virtual interface106 and configures the virtual interface 106 according to thesecond-level profile information. In one embodiment, the virtualinterface 106 defines a physical connection to a subscriber. In oneembodiment, the second-level profile information defines inbound andoutbound policies used when forwarding packets through the virtualinterface 106.

At stage four, the second-level profile information is stored in thepolicy engine 108. At stage five, the policy engine requests andreceives additional lower-level profile information includinglower-level profile identifiers for defining services used inconfiguring the virtual interface 106. After the policy engine 108stores the profile information, the system 100 can use the profileidentifiers to define services on other later-created virtual interfacesthat use the same profile identifiers.

Arranging profile identifiers in a hierarchy allows the system 100 toprovide services at a high level of granularity. More specifically,because a first-level profile identifier can refer to severallower-level profile identifiers that define a service, the services canbe very specifically defined. For example, “Premium” Internet service,represented by a first-level profile identifier, can be defined as 1Mbps bandwidth, a premium firewall, and virus protection. The premiumfirewall can be further defined using additional lower-level profileidentifiers. Having highly granular services allows the system to offera broad range of customizable services.

Organizing the profile identifiers in a hierarchy also allows the system100 to modify services without updating each subscriber's profileidentifiers. In one embodiment, the system 100 stores a high-levelprofile identifier for each subscriber. If a service is modified, thesystem 100 does not modify each subscriber's high-level profileidentifiers. In contrast, in one embodiment, the system 100 mayimplement a service change by modifying a common database of lower-levelprofile identifiers.

Exemplary System Operating Environment

This section describes an exemplary operating environment and systemarchitecture, according to embodiments of the invention. Operationsperformed by the exemplary system are described in the next section. Inthis section, FIGS. 2 and 3 are presented.

FIG. 2 is a block diagram illustrating an operating environment forcertain embodiments of the invention. As shown in FIG. 2, personalcomputers (PCs) 202 are connected to modems 206. The modems 206 areconnected to a digital subscriber line access module (DSLAM) 216, whichmultiplexes signals from the modems 206 onto the Internet protocol (IP)network 218. The IP network 218 is connected to a router box 214 thatincludes virtual routers (VRs) 228. The router box 214 is connected tothe Internet 212. The router box 214 is also connected to a dynamic hostconfiguration protocol (DHCP) server 220, web portal 222, RADIUS server224, and control server 226.

Although the router 214 includes three VRs, other embodiments call forany number of VRs or any computing system. In one embodiment, one ormore of the VRs 228 can establish subscriber connections. Whenestablishing the connections, the VRs 228 can use the DHCP server 220for assigning IP addresses to the PCs 202. The VRs 228 can use theRADIUS server 224 to authenticate subscribers. After authenticatingsubscribers, the VRs 228 can configure subscriber connections accordingto service contexts, which refer to services that subscribers receiveduring connections. In one embodiment, the VRs 228 can receive serviceprofile information from the control server 226 and/or the RADIUS server224.

After the VRs 228 establish subscriber connections, they provide accessto the web portal 222, where users can select new services.Additionally, after establishing subscriber connections, the VRs 228process and forward packets over the IP network 218 and the Internet212.

While FIG. 2 describes an exemplary operating environment, FIG. 3describes a virtual router in more detail. FIG. 3 is a block diagramillustrating a virtual router, according to exemplary embodiments of theinvention. As shown in FIG. 3, virtual router 328 includes a subscribermanager 302 connected to virtual interfaces 304 and 316. The virtualinterfaces 304 are connected to a policy engine 306, which is connectedto a profile manager 308. The profile manager 308 is connected to thesubscriber manager 302. The profile manager 308 includes a profile cache310 and the policy engine 306 includes a virtual interface database 312and a profile database 310.

In one embodiment, the subscriber manager 302 processes subscriberconnection requests, while the profile manager 308 stores subscriberprofile information used for establishing subscriber connections andprocessing subscriber data. In one embodiment, the policy engine 306aids in de-referencing subscriber profiles. In one embodiment, theprofile database 314 stores profile identifiers that define subscriberservices, whereas the virtual interface database 312 can storefirst-level profile identifiers and/or services used for definingservices associated with the virtual interfaces (VIs) 304. Operations ofthe virtual router's functional units are described below in the nextsection.

It should be understood that the functional units (e.g., the subscribermanager 302, virtual interface 304, etc.) of the virtual router 328 canbe integrated or divided, forming any number of functional units.Moreover, the functional units can be communicatively coupled using anysuitable communication method (e.g., message passing, parameter passing,and/or signals through one or more communication paths etc.).Additionally, the functional units can be physically connected accordingto any suitable interconnection architecture (e.g., fully connected,hypercube, etc.).

According to embodiments of the invention, the functional units can beany suitable type of logic (e.g., digital logic) for executing theoperations described herein. Any of the functional units used inconjunction with embodiments of the invention can includemachine-readable media including instructions for performing operationsdescribed herein. Machine-readable media include any mechanism thatprovides (i.e., stores and/or transmits) information in a form readableby a machine (e.g., a computer). For example, a machine-readable mediumincludes read only memory (ROM), random access memory (RAM), magneticdisk storage media, optical storage media, flash memory devices,electrical, optical, acoustical or other forms of propagated signals(e.g., carrier waves, infrared signals, digital signals, etc.), etc.

Exemplary Operations

This section describes exemplary operations of the exemplary systemdescribed above. In the following discussion, FIG. 4 describesoperations performed by an embodiment of a subscriber manager. FIG. 5describes operations performed by an embodiment of a profile manager andFIG. 6 describes operations performed by an embodiment of a policyengine.

FIG. 4 is a flow diagram illustrating operations for creating asubscriber connection, according to exemplary embodiments of theinvention. The flow diagram 400 will be described with reference to theexemplary system shown in FIGS. 2 and 3. The flow 400 commences at block402.

At block 402, a subscriber connection request is received. For example,the subscriber manager 302 receives a connection request from a PC 202.The connection request can be a point-to-point protocol (PPP) request ora user activation over a shared medium as in advanced subscribermanagement (ASM) system where subscribers are recognized using sourceinformation of the data packets. In one embodiment, the subscriberconnection request includes subscriber authentication information (e.g.,a subscriber identifier and a password), which can be used toauthenticate the subscriber. The flow continues at block 404.

At block 404, a subscriber authorization request is transmitted. Forexample, the subscriber manager 302 transmits an authorization requestto the Remote Authentication Dial-In User Service (RADIUS) server 224.In one embodiment, the authorization request is an asynchronous messagethat includes the subscriber authentication information. The flowcontinues at block 406.

At block 406, a host identifier and authorization response including oneor more first-level profile identifiers are received. For example, thesubscriber manager 302 receives an authorization response from theRADIUS server 202. The authorization response can include a message, ahost identifier, and one or more first-level profile identifiers. Themessage indicates whether the subscriber was successfully authenticated.The first-level profile identifier defines a subscriber service orrefers to one or more second-level profile identifiers (see discussionabove) and the host identifier indicates where the profile identifiersare stored or indicates the service VR where the subscriber may receiveservice (e.g., the host identifier indicates which of the VRs 230 isstoring second-level profile identifiers). The flow continues at block408.

At block 408, a determination is made about whether the authorizationwas successful. For example, the subscriber manager 302 determineswhether the authorization response included a message indicating thatthe authorization was successful. If the authorization was successful,the flow continues at block 410. Otherwise, the flow continues at block414.

At block 414, the requestor is informed that the session could not becreated. For example, the subscriber manager 302 transmits a message tothe PC 202 informing the subscriber that a session could not be created.From block 414, the flow ends.

At block 410, if necessary, the second-level profile identifier isacquired. For example, the subscriber manager 302 requests and receivesone or more second-level profile identifiers (associated with thefirst-level profile identifier) from a system component. In oneembodiment, the subscriber manager 302 requests and receives thesecond-level profile identifiers from the profile manager 308.Alternatively, the subscriber manager 302 can request and receive theprofile identifiers from another VR 228. According to embodiments, thesecond-level profile identifiers can be stored in any VR's profilemanager, radius server, or other accessible repository. In oneembodiment, the subscriber manager 302 does not need to acquiresecond-level profile identifiers because the first-level profileidentifier(s) explicitly define subscriber services. The flow continuesat block 412.

At block 412, a virtual interface is created and the requester isinformed about the connection. For example, the subscriber manager 302creates a virtual interface 304 and transmits a connection message tothe PC 202. In one embodiment, the virtual interface 304 refers to aphysical connection to between the PC 202 and the router box 214. In oneembodiment, the subscriber manager 302 configures the virtual interface304 based on the profile identifiers. For example, based on the profileidentifiers, the subscriber manager 302 configures inbound and outboundpolicies for the virtual interface 304. From block 414, the flow ends.

While FIG. 4 describes operations performed by an embodiment of asubscriber manager, FIG. 5 describes operations performed by anembodiment of a profile manager. FIG. 5 is a flow diagram illustratingoperations for returning lower-level profile information, according toexemplary embodiments of the invention. The flow diagram 500 will bedescribed with reference to the exemplary system of FIGS. 2 and 3. Inone embodiment, the operations of the flow diagram 500 can be performedby any VR's profile manager. The flow 500 commences at block 502.

At block 502, a profile identifier is received. For example, the profilemanager 308 receives a profile identifier (e.g., a first-level profileidentifier) from the subscriber manager 302 or the policy engine 306.The flow continues at block 504.

At block 504, a determination is made about whether the profile cacheincludes an entry for the profile identifier. The entry can also includeprofile information. Profile information can include a set of attributesthat define the content of a profile. Profile information may beavailable in the profile cache if the profile was previously obtainedfrom a profile server. For example, the profile manager 308 determineswhether its profile cache 310 includes an entry for the profileidentifier. If the profile cache 310 does not include an entry for theprofile identifier, the flow continues at block 508. Otherwise, the flowcontinues at block 506.

At block 506, the profile information is retrieved from the profilecache. For example, the profile manager 308 retrieves lower-levelprofile information (e.g., a second-level or third-level profileinformation) from the profile cache entry. The flow continues at block514.

At block 508, a determination is made about where to request the profileinformation. For example, the profile manager 308 determines where itshould request the profile identifiers. In one embodiment, the profilemanager 308 refers to an ordered list of profile servers to determinewhere to request the profile information. For example, the ordered listcan dictate that the profile manager 308 first request the lower-levelprofile information from the RADIUS server 224. If that request is notsuccessful, the profile manager 308 would then request the lower-levelprofile information from other repositories enumerated in the list(e.g., other VRs 228, the control server 226, etc.) The flow continuesat block 510.

At block 510, the profile information is requested and received. Forexample, the profile manager 308 requests and receives lower-levelprofile information from a system component (e.g., the RADIUS server224). The flow continues at block 512.

At block 512, the profile information is stored in the profile cache.For example, the profile manager 308 stores the lower-level profileinformation in its profile cache 310. The flow continues at block 514.

At block 514, the profile information is returned to the requester. Forexample, the profile manager 308 returns the profile information to asystem component (e.g., the policy engine 314). From block 514, the flowends.

FIG. 6 is a flow diagram illustrating operations for storing lower-levelprofile identifiers, according to embodiments of the invention. In oneembodiment, flow diagram 600 describes operations performed by thepolicy engine. The flow diagram 600 will be described with reference tothe exemplary system of FIGS. 2 and 3. The flow diagram 600 commences atblock 602.

At block 602, a profile identifier is received. For example, the policyengine 306 receives a profile identifier from the virtual interface 304when a subscriber's inbound or outbound policy is set or changed. Theflow continues at block 604.

At block 604, a determination is made about whether the profileinformation including the profile identifier is stored in the profiledatabase. In one embodiment, the policy engine 306 searches its profiledatabase 314 for the profile information using the profile identifier.

A brief example of searching for a lower-level profile identifier in theprofile database 314 is described below, in conjunction with FIG. 7.FIG. 7 illustrates tables stored in the policy engine, according toexemplary embodiments of the invention. Tables 704 and 706 includehierarchical profile identifiers. In particular, table 704 includesfields associating first-level profile identifiers with second-levelprofile identifiers. For example, in table 704, first-level profileidentifier S1 is associated with second-level profile identifiers F1,F2, and F3. Table 706 includes fields for associating second-levelprofile identifiers with third-level profile identifiers. For example,in table 706: 1) second-level profile identifier F1 is associated withthird-level profile identifier A1; 2) second-level profile identifier F2is associated with third-level profile identifiers A2 and A4; and 3)second-level profile identifier F3 is associated with third-levelprofile identifiers A1 and A3.

Based on the tables 704 and 706, the policy engine 306 can determinewhether a particular profile identifier is associated with a lower-levelprofile identifier by dereferencing the profile identifiers. Forexample, using tables 704 and 706, the policy engine 306 can determinethat first-level profile identifier S1 is associated with third-levelprofile identifiers A1, A1, A2 and A3. In one embodiment, thethird-level profile identifiers define services that can be performedduring subscriber sessions. In one embodiment, the relationshipsrepresented in the tables 704 and 706 can be represented in a singletable.

Referring back to FIG. 6, if the profile identifier is in the profiledatabase 314, the flow ends. Otherwise, the flow continues at block 605.

At block 605, profile information associated with the profile identifieris obtained and stored in the profile database. For example, the policyengine 306 obtains, from the profile manager 308, the profileinformation associated with the profile identifier and stores theprofile information in its profile database 314. In one embodiment, theprofile information includes a field associated with the lower-levelprofile identifier. In one embodiment, the profile identifier is notassociated with a lower-level profile identifier. As noted above, theprofile identifier can explicitly define subscriber services. From block605, the flow continues at block 606.

At block 606, a determination is made about whether there are one ormore lower-level profile identifiers associated with the profileidentifier. In one embodiment, the policy engine 306 determines whetherthere are lower-level profile identifiers associated with the profileidentifier by examining the profile information associated with theprofile identifier. In one embodiment, the policy engine 306 determineswhether there are more lower-level profile identifiers associated withthe profile identifier by examining lower-level profile informationassociated with previously obtained lower-level profile identifiers. Inone embodiment, if there are not one or more lower-level profileidentifiers associated with the profile identifier, the profileidentifier explicitly defines one or more subscriber services. In oneembodiment, if there are one or more lower-level profile identifiers,the profile identifier explicitly defines one or more subscriberservices and each of the one or more lower-level profile identifiersdefines one or more additional subscriber services. In one embodiment,the one or more lower level profile identifiers and the profileidentifier together define a service one or more subscriber services. Ifthere are more lower-level profile identifiers associated with theprofile identifier, the flow continues at block 608. Otherwise, the flowends.

At block 608, the lower-level profile information associated with theone or more profile identifiers is requested and received. For example,the policy engine 306 requests the lower-level profile informationassociated with the one or more profile identifiers from the profilemanager 308. The flow continues at block 610.

At block 610, the lower-level profile information is stored in theprofile database. For example, the policy engine 306 stores thelower-level profile information in its profile database 314. In oneembodiment, the policy engine 306 stores additional information (e.g., ahandle) for the lower-level profile in a field along with the profileidentifier to provide quicker access to the lower level profile withoutrequiring to search the profile database. From block 610, the flowcontinues at block 606.

FIGS. 4-7 describe operations for initializing virtual interfaces andestablishing subscriber connections. However, FIG. 8 describesoperations for forwarding packets during a subscriber connection.

FIG. 8 is a flow diagram illustrating operations occurring inconjunction with packet forwarding during a subscriber connection,according to embodiments of the invention. The flow diagram 800 will bedescribed with reference to the exemplary system of FIGS. 2 and 3. Theflow diagram 800 commences at block 802.

At block 802, a request is received, where the request is to determinewhether a packet should be forwarded and other operations performed. Forexample, the policy engine 306 receives a request from the virtualinterface 304 to determine whether a packet should be forwarded andwhether other operations should be performed on the packet (e.g.,operations regarding a firewall, QoS, etc.). The flow continues at block804.

At block 804, the determination about whether to forward/operate onpackets is made based on one or more profile identifiers associated withthe requestor. For example, the policy engine 306 determines whether thepacket should be forwarded and whether other operations are to beperformed based on one or more profile identifiers associated with thevirtual interface 304. In one embodiment, the policy engine 306 looks inthe virtual interface database 312 to determine a first-level identifierassociated with the virtual interface 304. The policy engine 306de-references the first-level profile identifier (using the profiledatabase 314) to determine whether there are any lower-level profileidentifiers associated with the virtual interface 304. Afterde-referencing the profile identifiers, the policy engine 306 can usethe lower-level profile identifiers to determine whether the packetshould be forwarded/operated upon. Because the lower-level profileidentifiers define services (e.g., a firewall) to apply to the packet,the policy engine 304 can decide whether to forward the packet. The flowcontinues at block 806.

At block 806, the results of the determination are transmitted. Forexample, the policy engine 306 transmits the results to the virtualinterface 304. In one embodiment, after the virtual interface 304forwards and/or performs other operations on data packets based on thedetermination. From block 806, the flow ends.

According certain embodiments, the system 200 can alter existingservices and/or add new services any time during the operation of therouter box 214. As part of a process for modifying services, the system200 can redefine associations between first-level profile identifiersand lower-level profile identifiers. The premium service package caninitially include a 1 Mbps bandwidth service, where the premium servicepackage is associated with a first-level profile identifier, and wherethe 1 Mbps bandwidth service is associated with a lower-level profileidentifier. After the system 200 has been running for some time, thepremium service package can be “upgraded” to include 5 Mbps bandwidthservice instead of 1 Mbps bandwidth service. In order to make theupgrade available, a virtual router 228 can dissociate the premiumservice package's first-level profile identifier from the 1 Mbpslower-level identifier. It can then associate the premium servicepackage's first-level profile identifier with a lower-level profileidentifier that defines bandwidth service at 5 Mbps. As a result ofmodifying the profile identifiers, the virtual router 228 can modifyservices without requiring users to reestablish connections and withoutupdating data for each subscriber in the system.

In one embodiment, the system performs the following operations formodifying services. FIG. 9 is a flow diagram describing operations formodifying subscriber services, according to exemplary embodiments of theinvention. The flow diagram 900 will be described with reference to theexemplary system of FIGS. 2 and 3. The flow diagram 900 commences atblock 902.

At block 902, service profile changes are requested from a systemcomponent that was previously used to resolve profiles. For example, theprofile manager 308 requests new/modified profile identifiers from theRADIUS server 224 or other component of the system 200. In oneembodiment, the profile manager 308 can request profile identifiers fromany system component that it previously used to resolve subscriberprofiles. The flow continues at block 904.

At block 904, a determination is made about whether there has been aresponse. For example, the profile manager 308 determines whether it hasreceived a response from the system component (e.g., the control server226). In one embodiment, the response can be an asynchronous responsereceived anytime. If there has been a response, the process continues atblock 910. Otherwise, the process continues at block 906.

At block 906, a determination is made about whether there are othersystem components from which modified profile information can beobtained. For example, the profile manager 308 can search a list ofsystem components (e.g., an ordered list of VRs, Radius Servers or otherprofile servers) that could contain profile information. Based on thesearch, the profile manager 308 can determine which system componentsmay contain modified profile information.

If there are system components other than those already queried thatcould include modified profile information, the flow continues at block908. Otherwise, the flow continues at block 912.

At block 908, profile changes are requested from another systemcomponent. For example, the profile manager 308 requests profile changesfrom another system component, such as the RADIUS server 224. In oneembodiment, the profile manager 308 determines the other systemcomponent by searching an ordered list of components. The flow continuesat block 904.

At block 910, a determination is made about whether any profile changeswere returned from the system components. If profile changes werereturned from system components, the flow continues at block 912.Otherwise, the flow ends.

At block 912, all applications that use the profile are updated. Forexample, the profile manager 308 can transmit profile changes to anysystem component that is currently using the relevant profile. As a morespecific example, profile manager 308 can transmit modified profileidentifiers to the policy engine 306.

In one embodiment, system components that use the service profile areupdated about the profile refresh failure (e.g., a profile refreshfailure occurs when the flow arrives at block 912 by taking the “no”path from blocks 904 and 906). For example, the policy engine 306 isinformed of a profile refresh failure. As a result, the policy engine306 can remove from the profile database one or more lower-level profileidentifiers associated with the service profile's first-level profileidentifier. The profile manager 306 can be updated later, when newlower-level profile identifiers are available.

In another embodiment, system components that use the service profileare not updated about the profile refresh failure. In this case, thesystem components (e.g., the policy engine 306 continue to use previousprofile identifiers. This enables the system 200 to operate normallyduring temporary network outages, when profile information may not beavailable. From block 912, the flow ends.

Although the flow 900 ends after block 912, in one embodiment, systemcomponents can wait some time period and begin executing flow 900 fromblock 902. In one embodiment, depending on the number profile refreshfailures, the time period changes. In one embodiment, the systemcomponent can stop executing flow 900 after some number of profilerefresh failures.

Thus, methods and apparatus for managing subscriber profiles aredescribed herein. Although the present invention has been described withreference to specific exemplary embodiments, it will be evident thatvarious modifications and changes may be made to these embodimentswithout departing from the broader spirit and scope of the invention.Accordingly, the specification and drawings are to be regarded in anillustrative rather than a restrictive sense.

1. A method comprising: defining each of a plurality of service contextsavailable to subscribers of a service provider in terms of one or moreprofile identifiers of a plurality of profile identifiers each of whichis representative of a particular subscriber service supported by theservice provider; providing a scalable subscriber profile database inwhich a memory requirement for the scalable subscriber profile databaseis dependent upon a number of available service contexts byhierarchically organizing the plurality of profile identifiers asintermediate profile identifiers and leaf profile identifiers, whereinthe leaf profile identifiers explicitly define subscriber services andthe intermediate profile identifiers indirectly represent sets of one ormore subscriber services, which are defined by way of the intermediateprofile identifiers' associations with one or more lower-levelidentifiers including zero or more of the leaf profile identifiers andzero or more of the intermediate profile identifiers; wherein thescalable subscriber profile database is distributed between anauthentication system of the service provider and a plurality of virtualrouters (VRs), wherein a first portion of the scalable subscriberprofile database is stored within the authentication system, the firstportion of the scalable subscriber profile database includinginformation indicative of associations among the subscribers andcorresponding first-level profile identifiers representing a subset ofthe intermediate profile identifiers and a second portion of thescalable subscriber profile database is stored within a profile manageroperable within each of the plurality of VRs, the second portionincluding information indicative of the associations among the subset ofintermediate profile identifiers and the one or more lower-levelidentifiers; receiving, by a subscriber manager of a virtual router (VR)of the plurality of VRs of a VR-based telecommunications system of theservice provider, a subscriber connection request from a subscriber ofthe service provider; responsive to the subscriber connection request,determining, by the subscriber manager, the subscriber's service contextbased on the first-level profile identifier associated with thesubscriber and the scalable subscriber profile database, whereindetermining the service context includes requesting, from the firstportion of the scalable profile database, the first-level profileidentifier and requesting, from the second portion of the scalableprofile database, the one or more lower-level profile identifiersassociated with the first level profile identifier; and establishing, bythe subscriber manager, the subscriber connection by configuring avirtual interface associated with the VR based on the subscriber'sservice context.
 2. The method of claim 1, wherein the subscriber'sservice context includes a combination of services including a pluralityof a firewall service, an antivirus service, virtual private networksupport and tunneling support.
 3. The method of claim 1, furthercomprising prior to said determining, by the subscriber manager, thesubscriber's service context: causing, by the subscriber manager, thesubscriber connection request to be authenticated by the authenticationsystem; and if the subscriber connection request is affirmativelyauthenticated by the authentication system, then receiving by thesubscriber manager from the authentication system, the first-levelprofile identifier.
 4. The method of claim 3, wherein said determining,by the subscriber manager, the subscriber's service context comprisesthe subscriber manager causing the profile manager of the VR todereference intermediate profile identifiers, if any, associated withthe first-level profile identifier based on the second portion of thescalable subscriber profile database.
 5. The method of claim 1, whereinthe authentication system comprises a Remote Authentication Dial-In UserService (RADIUS) server.
 6. A tangible machine-readable storage mediumembodying instructions, which when executed by one or more processors ofa virtual router (VR) based telecommunications system of a serviceprovider performs a method for establishing a subscriber connection, themethod comprising: receiving, at a VR of a plurality of VRs configuredto operate within the telecommunications system, a subscriber connectionrequest from a subscriber of the service provider; responsive to thesubscriber connection request, determining the subscriber's servicecontext based on a first-level profile identifier associated with thesubscriber and a scalable subscriber profile database, wherein each of aplurality of service contexts available to subscribers of the serviceprovider are defined in terms of one or more profile identifiers of aplurality of profile identifiers each of which is representative of aparticular subscriber service supported by the service provider; whereina memory requirement for the scalable subscriber profile database isdependent upon a number of available service contexts by hierarchicallyorganizing the plurality of profile identifiers as intermediate profileidentifiers and leaf profile identifiers, wherein the leaf profileidentifiers explicitly define subscriber services and the intermediateprofile identifiers indirectly represent sets of one or more subscriberservices, which are defined by way of the intermediate profileidentifiers' associations with one or more lower-level identifiersincluding zero or more of the leaf profile identifiers and zero or moreof the intermediate profile identifiers; wherein the scalable subscriberprofile database is distributed between an authentication system of theservice provider and the plurality of virtual routers (VRs), wherein afirst portion of the scalable subscriber profile database is storedwithin the authentication system, the first portion of the scalablesubscriber profile database including information indicative ofassociations among the subscribers and corresponding first-level profileidentifiers representing a subset of the intermediate profileidentifiers and a second portion of the scalable subscriber profiledatabase is stored within a profile manager operable within each of theplurality of VRs, the second portion including information indicative ofthe associations among the subset of intermediate profile identifiersand the one or more lower-level identifiers; wherein determining theservice context includes requesting, from the first portion of thescalable profile database, the first-level profile identifier andrequesting, from the second portion of the scalable profile database,the one or more lower-level profile identifiers associated with thefirst-level profile identifier; and establishing the subscriberconnection by configuring a virtual interface associated with the VRbased on the subscriber's service context.
 7. The machine-readablestorage medium of claim 6, wherein the subscriber's service contextincludes a combination of services including a plurality of a firewallservice, an antivirus service, virtual private network support andtunneling support.
 8. The machine-readable storage medium of claim 6,the method further comprising prior to said determining the subscriber'sservice context: causing the subscriber connection request to beauthenticated by the authentication system; and if the subscriberconnection request is affirmatively authenticated by the authenticationsystem, then receiving from the authentication system, the first-levelprofile identifier.
 9. The machine-readable storage medium of claim 8,wherein said determining the subscriber's service context comprisescausing the profile manager of the VR to dereference intermediateprofile identifiers, if any, associated with the first-level profileidentifier based on the second portion of the scalable subscriberprofile database.
 10. The machine-readable storage medium of claim 6,wherein the authentication system comprises a Remote AuthenticationDial-In User Service (RADIUS) server.